NIST creates new challenges for HSPD-12 access systems

SP800-116 defines PIV credentials in the physical access control system


With this information available, the next challenge is to augment the existing PACS, or install a new one, with readers capable of meeting the requirements. As described above, even single-factor authentication has evolved from a simple card issued to the cardholder to something more sophisticated: now the card itself must be authenticated before its data is accepted. Asymmetric card authentication will require validating the card's certificate in real time against online certificate infrastructure, "at or near the time of authentication" as the guidance describes it.

Since PACS are traditionally built around fixed or wall-mounted readers, CAK (Card Authentication Key) authentication will call for new readers capable of reading large amounts of data from the PIV card quickly. These readers will have to be connected to online infrastructure such as certificate authorities, certificate revocation lists, and similar public key infrastructure services. For many agencies this means new readers. For some it means a new PACS and new PKI infrastructure, or at a minimum allowing the logical access control system to share a network with the physical access control system.
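As an added example (not code from the article, from NIST, or from AMAG), the reader-side decision the two paragraphs above imply, in Go using only the standard library: the card proves possession of its CAK private key by signing a reader challenge, and the reader accepts only if the card certificate chains to a trusted issuer, the issuer-signed CRL is still within its validity window at the time of the transaction, and the card's serial is not listed. Assumptions: an ECDSA P-256 CAK, a single trusted issuer, a CRL as the revocation source, and throwaway certificates constructed by BuildDemo in place of a real issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// VerifyCAK is the reader-side decision for asymmetric CAK (added illustration, not NIST or vendor code): chain to a trusted
// root, fresh issuer-signed CRL, serial not revoked, valid signature over the reader's challenge. A stale CRL means unknown status, so deny.
func VerifyCAK(roots *x509.CertPool, issuer, card *x509.Certificate, crl *x509.RevocationList, chal, sig []byte, now time.Time) error {
	if _, err := card.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err // untrusted issuer, expired certificate, or broken chain
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil || now.After(crl.NextUpdate) {
		return errors.New("CRL unusable (bad signature or past NextUpdate): revocation status unknown, deny")
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(card.SerialNumber) == 0 {
			return errors.New("card authentication certificate is revoked")
		}
	}
	return card.CheckSignature(x509.ECDSAWithSHA256, chal, sig) // proof of possession of the CAK private key
}

// BuildDemo constructs throwaway fixtures (sample data, not a real issuer): a P-256 issuing CA, a card certificate
// with the given serial, a one-hour CRL that always lists serial 42 as revoked, and the card's signature over chal.
func BuildDemo(cardSerial int64, now time.Time, chal []byte) (ca, card *x509.Certificate, crl *x509.RevocationList, sig []byte) {
	caKey, cardKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo PIV Issuer"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	cardTmpl := &x509.Certificate{SerialNumber: big.NewInt(cardSerial), Subject: pkix.Name{CommonName: "PIV Card Authentication"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour)}
	card = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, cardTmpl, ca, &cardKey.PublicKey, caKey))))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: now}}} // e.g. a lost card
	crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))))
	h := sha256.Sum256(chal) // the card signs the reader's challenge with its CAK private key
	sig = must(ecdsa.SignASN1(rand.Reader, cardKey, h[:]))
	return
}
```

A CRL past its NextUpdate is treated as unknown status and denied, which is the practical consequence of validating "at or near the time of authentication": the reader's revocation data must be reachable and current, not cached indefinitely.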

Other security-related functions will necessarily come along with the PACS onto the logical network; these may include video surveillance, IP-based intercom, IP-based storage, and security monitoring workstations. These functions place heavy demands on network bandwidth, so network architecture changes may also be required.

Migration is the key

NIST has identified the goal for security managers at federal facilities; it is up to the facility security managers to determine the path. NIST has developed the PIMM (PIV Implementation Maturity Model) so that agencies can understand and communicate their progress toward compliance with the PIV vision. Yet there are many challenges to getting there. The reader will have recognized that there are significant costs associated with the various parts of the end-point solution: network bandwidth, network segmentation and service availability, PKI infrastructure and a connection through the Federal Bridge to other agencies' PKIs, a new breed of PIV readers, and possibly a new PACS to support it all.

The readers required to support CAK have only recently become available, and support for digital certificates in the PACS world is very new. The security manager has limited resources to draw on: only a limited number of vendors provide compatible products, and only a limited number of integration service providers have the PKI knowledge to fit the pieces together. Finally, test procedures are not yet in place to provide compliance certification.

The future will be much more secure due in part to NIST SP800-116, but the road to get there will surely be a challenging one. Partnership is going to be the key. Security managers should build a team of dedicated stakeholders, including internal personnel (in particular IT management), security integrators, and PACS vendors. The solution will come together when everyone works toward a common goal with all assumptions and requirements clearly communicated across disciplines. A good PACS manufacturer should be willing to work with the team, blaze a trail through new territory, provide the equipment and knowledge to enable a smooth transition, and support the team throughout.

About the author: Adam Shane is a product manager with AMAG Technology. Adam is the primary technical interface between AMAG Technology and the federal government and physical security industry efforts on standardization.